Simulate a social engineering attack on elements of your organisation
Gauge the effectiveness of information security awareness training
Improve the resilience of your organisation to social engineering and phishing attacks
The majority of recent high-profile cyber attacks against top-tier organisations have succeeded because the attackers breached the perimeter through targeted social engineering attacks, otherwise known as ‘spear phishing’.
These attacks identify the contact details of potentially vulnerable people within the organisation and use a specially targeted attack vector that is likely to result in the execution of malicious code. Typically this involves crafting an email that would be of interest to the victim and that carries embedded malware, either in the email itself or as an attachment.
Once the code has been executed, it uses weaknesses in the network architecture to establish command and control connections with the attacker, who can then commence attacks on internal network resources. It is then generally straightforward to identify accessible stores of internal information assets (since access will have been gained with the credentials of the compromised user) and to export them over the Internet using normally benign and innocuous protocols such as web connections.
Other attack vectors often include phone calls to staff, usually under the guise of IT personnel or a senior member of staff, attempting to entice them into performing a task that would likewise have adverse consequences for the organisation’s information security.
A defence-in-depth strategy for the protection of information assets should include all categories of security control: physical, procedural and technical. As such, it is essential that personnel within the organisation are adequately briefed on information security awareness, on how to identify and report potentially malicious emails, and on the inherent risks associated with opening them.
The Xhackster simulation identifies an organisation’s susceptibility to social engineering attacks, whether delivered via email, instant messaging, telephone calls or face-to-face within the client’s premises. As part of the assessment, we can use open source intelligence gathering to identify people within the organisation, or target a specific team or function that the client determines should be the subject of the investigation.
We will then systematically target those individuals with a bespoke attack which we believe (in co-ordination with the client) has the highest probability of success. Every attempt incorporates a means to measure its success and may also determine whether it would be possible to breach the architecture and establish outbound command and control connections.
The output of the exercise reports on the effectiveness of information security awareness within the organisation, gives statistics on successful and unsuccessful attempts, details whether it was possible to compromise the perimeter, and provides a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.